Multiple user IDs on one authentication system

Plundstedt
Level 1

One of the first systems we integrated with Duo is our Palo Alto GlobalProtect VPN. When we began enrolling individuals in the system, one of the first things we discovered was that users could get around the Duo prompt by using their email address as a username, instead of their sAMAccountName. We’re an O365 and SkypeforBiz customer and are required to have the email address set up as a SIPAddress.

Is there any way to either
a) set up multiple usernames in Duo that can authenticate through an application?
-or-
b) disallow users from using a secondary user ID other than their sAMAccountName? We’re not seeing anything like this in our GlobalProtect instance.

Accepted Solutions

mkorovesisduo
Level 4

Hi Plundstet,

I spoke with our support team and here are responses to your questions:

a) Yes, by enabling Username Normalization. Please ensure that Username normalization for your Palo Alto application is set to “Simple.”

b) Yes. If your New User Policy is set to Allow Access, set it to Deny Access. If I am understanding you correctly, you have more than one “style” of username that your users are trying to use to log in. If you are alright with enforcing sAMAccountName as the only accepted username, setting this policy to Deny Access would block users from completing authentication with their email.

We are actively exploring more complex username aliasing features that would accommodate formats beyond email address and sAMAccountName in the future, but I don’t have a timeline to share for that feature at this time.
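
How the two settings in the accepted answer interact, as an added example that is not part of the original thread and is not Duo's code. It is a simplified model: the mode and policy strings, the lower-casing step, and all user names are assumptions constructed for illustration.

```python
# Simplified model of the two settings discussed in this thread. This is an
# assumption-based sketch, not Duo's code; all sample names are constructed.

def normalize(username: str, mode: str) -> str:
    """Return the name used for the user lookup.

    mode "none":   the name is used as typed (case-folded only).
    mode "simple": DOMAIN\\user and user@domain are reduced to "user".
    """
    name = username.strip().lower()
    if mode == "simple":
        name = name.rsplit("\\", 1)[-1]   # drop a DOMAIN\ prefix if present
        name = name.split("@", 1)[0]      # drop an @domain suffix if present
    elif mode != "none":
        raise ValueError(f"unknown normalization mode: {mode}")
    return name


def decide(username: str, enrolled: set, mode: str, new_user_policy: str) -> str:
    """Return "2fa", "allow_without_2fa" or "deny" for one login attempt."""
    if normalize(username, mode) in enrolled:
        return "2fa"                      # known user: prompt as usual
    if new_user_policy == "allow":
        return "allow_without_2fa"        # unknown name skips the prompt
    if new_user_policy == "deny":
        return "deny"
    raise ValueError(f"unknown new user policy: {new_user_policy}")


def bypasses(logins, enrolled, mode, new_user_policy):
    """Login names that would get in without a second factor."""
    return [u for u in logins
            if decide(u, enrolled, mode, new_user_policy) == "allow_without_2fa"]


# Constructed sample data: one enrolled sAMAccountName and four typed names.
ENROLLED = {"jdoe"}
LOGINS = ["jdoe", "CORP\\jdoe", "jdoe@example.com", "jane.doe@example.com"]

if __name__ == "__main__":
    for mode in ("none", "simple"):
        for policy in ("allow", "deny"):
            print(f"{mode:6} {policy:5} ->", bypasses(LOGINS, ENROLLED, mode, policy))
```

In this model, simple normalization alone still leaves an email whose local part differs from the sAMAccountName unmatched, so only the Deny Access policy closes that remaining path.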
